Dev - Nexus Repo / NEXUS-11965

npm install fails with 500 error when user has Group level privileges


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0, 3.2.1
    • Fix Version/s: 3.3.0
    • Component/s: NPM, Security
    • Labels:
    • Story Points: 0.5
    • Sprint: Sprint 89

      Description

      If a user has read privileges to an npm group, but not to the underlying npm proxy, then "npm install <package>" will get a 500 response for any package that is not locally cached in the npm proxy.

      Steps to reproduce:
      1) Set up an npm group npm-all that has npm proxy npmjs as a member
      2) Set up a user that has access to group repo npm-all (privilege nx-repository-view-npm-npm-all).
      3) Try to install an npm package that is not locally cached in proxy npmjs

      The npm install command will fail with something like the following:

      npm http fetch GET http://localhost:8081/repository/npm-all/glob/-/glob-7.1.1.tgz
      npm http fetch 500 http://localhost:8081/repository/npm-all/glob/-/glob-7.1.1.tgz
      npm info retry will retry, error on last attempt: Error: server error 500
      

      Nexus logs will show the following:

      2016-12-21 11:21:38,899+0000 WARN  [qtp1898010376-415] test org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure
      java.lang.RuntimeException: java.io.IOException: org.apache.shiro.authz.AuthorizationException
      	at com.google.common.base.Throwables.propagate(Throwables.java:160) [na:na]
      	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:142) [na:na]
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:210) [na:na]
      	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.fetch(NpmProxyFacetImpl.java:62) [na:na]
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:166) [na:na]
      	at org.sonatype.nexus.repository.proxy.ProxyHandler.handle(ProxyHandler.java:49) [na:na]
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
      	at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39) [na:na]
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
      	at org.sonatype.nexus.repository.view.Context$proceed.call(Unknown Source) [na:na]
      	at com.sonatype.nexus.repository.npm.internal.NpmProxyRecipe$_closure1.doCall(NpmProxyRecipe.groovy:160) [na:na]
      ...
      ...
      Caused by: java.io.IOException: org.apache.shiro.authz.AuthorizationException
      	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:347) [na:na]
      	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageVersion(NpmProxyFacetImpl.java:299) [na:na]
      	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:138) [na:na]
      	... 131 common frames omitted
      Caused by: org.apache.shiro.authz.AuthorizationException: null
      	at org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:72) [na:na]
      	at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:48) [na:na]
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
      	at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:46) [na:na]
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
      	at org.sonatype.nexus.repository.view.Context.start(Context.java:114) [na:na]
      	at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:60) [na:na]
      	at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52) [na:na]
      	at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43) [na:na]
      	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:336) [na:na]
      	... 133 common frames omitted
      

      Workaround: if you give that user a read privilege to the proxy npmjs (nx-repository-view-npm-npmjs-read), then the user should be able to install the package that is not already cached.

      Group-level permissions should be transitive; a user therefore has the same privileges for all member repositories.
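
To find which accounts hit this failure on an affected version, and so need the workaround, the trace shown above can be matched in the Nexus log. This is an added example, not part of the original issue or of Nexus itself; the second log entry is constructed, and reading the token after the thread name as the user id is an assumption.

```python
import re

# Constructed sample: the WARN header and key frames of the trace in this
# issue, followed by one constructed, unrelated ViewServlet failure.
SAMPLE_LOG = "\n".join([
    "2016-12-21 11:21:38,899+0000 WARN  [qtp1898010376-415] test org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure",
    "java.lang.RuntimeException: java.io.IOException: org.apache.shiro.authz.AuthorizationException",
    "\tat com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:142) [na:na]",
    "Caused by: org.apache.shiro.authz.AuthorizationException: null",
    "\tat org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:72) [na:na]",
    "\tat com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:336) [na:na]",
    "2016-12-21 11:23:10,001+0000 WARN  [qtp1898010376-421] admin org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure",
    "java.lang.IllegalStateException: constructed unrelated failure",
])

# Header layout copied from the log line in this issue. Assumption: the token
# after the thread name is the authenticated user id.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4})\s+(?P<level>\w+)\s+"
    r"\[[^\]]+\]\s+(?P<user>\S+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
# All three markers must be present: a Shiro denial raised while the npm proxy fetched a package root.
MARKERS = ("Caused by: org.apache.shiro.authz.AuthorizationException",
           "SecurityFacetSupport.ensurePermitted", "NpmProxyFacetImpl.retrievePackageRoot")

def split_entries(text):
    """Group raw lines into (header_fields, trace_lines) log entries."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append((m.groupdict(), []))
        elif entries:  # stack-trace line: attach to the latest header
            entries[-1][1].append(line)
    return entries

def find_group_privilege_failures(text):
    """Return (timestamp, user) for each ViewServlet failure matching this issue."""
    hits = []
    for head, trace in split_entries(text):
        if not head["logger"].endswith(".ViewServlet") or head["msg"] != "Service failure":
            continue
        if all(marker in "\n".join(trace) for marker in MARKERS):
            hits.append((head["ts"], head["user"]))
    return hits

if __name__ == "__main__":
    for ts, user in find_group_privilege_failures(SAMPLE_LOG):
        print(f"{ts} user={user}: authorization failure inside the npm proxy")
```
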

              People

              Assignee:
              bradbeck Brad Beck
              Reporter:
              msurani Mahendra Surani
              Last Updated By:
              Peter Lynch
              Votes:
              2
              Watchers:
              9
